Share this story

Google has admitted that it has been "mistakenly" collecting payload data from open WiFi networks as its Street View cars drove around taking pictures. The company said that it never used any information about who was using those networks and what sites they were visiting, but the company has nonetheless decided to completely stop collecting WiFi data from its Street View cars.

Google put up a blog post last month detailing exactly what kind of data its Street View cars collected in response to an inquiry from German lawmakers. At the time, Google said that it collects SSID information as well as the MAC addresses of WiFi routers it encounters along the Street View route. This is for use in Google's location-based services, like Skyhook Wireless' services that are widely used on mobile devices without GPS.

The company said that it only uses information that is is accessible by anyone walking down the street with a WiFi-compatible device, and that it did not collect any kind of payload data related to those networks. It turns out that statement wasn't true. In a follow-up blog post on Friday afternoon, the company said it reviewed the data that Street View cars had collected and found that some "samples" of information users sent over their networks were indeed saved. As for why it happened, the company says it was essentially a huge oversight.

"In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data," Google's Senior VP, Engineering & Research Alan Eustace wrote. "A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data."

Google has asked a third party to review what was collected and confirm that it was deleted. It also plans to review its procedures to ensure something similar doesn't happen in the future. The company is turning this whole scenario into a lesson: "This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today."

Indeed, it's certainly surprising to see that this data was collected after Google confidently stated that it wasn't. At the same time, it's oversights like these that provide ammunition for privacy advocates and critics of Google's perceived lack of respect for privacy. It's also a reminder that we truly never know what kind of data is being collected, even when the company in question has the best of intentions.

Share this story

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Emailjacqui@arstechnica.com//Twitter@eJacqui